The California Consumer Privacy Act of 2018 (CCPA)
California became the first state to enact comprehensive data protection legislation with its June 28, 2018 passage of the California Consumer Privacy Act of 2018 (CCPA). The expansive new privacy law will impose significant obligations and restrictions on many businesses that handle the personal information (PI) of California residents.
Who does the CCPA protect?
The CCPA protects “consumers,” which it defines as California residents. This means that the CCPA applies to PI relating to any California resident, regardless of a business’s relationship to the individual.
Who must comply with the CCPA’s requirements?
The CCPA applies to any entity that collects PI relating to California residents, determines the purposes and means of processing of the PI, does business in California, and meets one of the following thresholds:
- Has annual gross revenues in excess of $25 million.
- Annually buys, receives for its commercial purposes, sells, or shares for commercial purposes PI relating to 50,000 or more consumers, households, or devices.
- Derives 50% or more of its annual revenue from selling consumer PI.
What qualifies as Personal Information?
The CCPA defines PI broadly to include any information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The definition specifically includes items that indirectly identify a unique person, such as an alias, unique personal identifier, or other online identifier.
The PI definition also includes, but is not limited to, 11 enumerated categories of information relating to consumers. Several of those categories contain information that US privacy laws do not typically reference in PI definitions, such as:
- Commercial information, including purchasing or consuming histories or tendencies.
- Internet activity, such as browsing patterns, search history, or a consumer’s interaction with a website, application, or advertisement.
- Inferences drawn from any of the enumerated categories of PI.
While the CCPA defines PI in detail, the definition’s reference to information linked to a particular household, which could include any child, spouse, or even roommate, creates uncertainty regarding its scope.
What are the compliance requirements?
The CCPA imposes a number of obligations in connection with the individual rights the CCPA creates for consumers:
- Right to Deletion. Businesses must delete—and direct service providers to delete—any PI collected about a consumer who submits a verified deletion request. The CCPA includes nine exceptions to this requirement, which will need to be carefully considered when implementing procedures to comply with a consumer’s deletion request.
- Right to Access and Portability. Businesses must disclose in response to a verified consumer request:
  - categories of PI collected;
  - categories of PI sold to a third party;
  - categories of PI disclosed for a business purpose;
  - categories of third parties to whom the business sold or disclosed PI for a business purpose;
  - the business or commercial purpose for which PI was collected or sold;
  - the categories of sources from which PI was collected; and
  - the “specific pieces” of PI a business collected about an individual.
  Businesses must provide this information as it relates to PI handled within the year preceding the request and “in a readily useable format that allows the consumer to transmit [the] information from one entity to another entity without hindrance.”
- Right to Opt Out. Businesses must enable and honor consumer requests to opt out of the sale of PI. For consumers ages 16 and under, businesses must obtain express consent to sell PI.
- Right to be Free from Discrimination. Businesses cannot charge different prices or rates to consumers, provide different services, or deny goods or services to consumers who exercise their rights under the CCPA. There are exceptions to this requirement, and the CCPA also allows businesses to offer financial incentives to collect, sell, or not delete PI.
Businesses must disclose these rights to consumers in their privacy policies and any California-specific description of consumers’ privacy rights, as well as list the categories of PI that businesses collected, sold, or disclosed for a business purpose within the last 12 months. To help consumers easily exercise their “opt out” rights, businesses must also include a “Do Not Sell My Personal Information” link, for example, on their homepages.
In practice, will the law apply everywhere in the United States? Or, will companies interacting with California residents offer two privacy policies or adopt two ways of handling personal information?
Each covered business will have to decide whether to extend the CCPA’s privacy rights to non-California residents. A number of practical and competitive considerations impact this decision, including:
- Whether the business can easily and effectively distinguish between information relating to California residents and information relating to residents of other states.
- The impact on customer relations of telling non-California customers that they do not have the same privacy rights as California customers.
- The legal risks associated with voluntarily making privacy-related representations to consumers throughout the US and thus functionally creating a legal obligation in all 50 states to live up to those representations.
- The likelihood that other states may follow California’s lead and impose their own privacy obligations, which may or may not track the CCPA.
Given the steps businesses will need to take to comply with the CCPA, it may make operational sense for them to implement nationwide procedures. But businesses will need to think through various considerations, including those above, as well as how, if at all, they can distinguish between California and non-California residents in complying with the CCPA.
What steps should businesses seeking to comply with the law take next?
Businesses will need to be compliance-ready by the CCPA’s January 1, 2020 effective date. While regulations will be forthcoming that will impact compliance efforts (along with, potentially, legislative amendments), there are some immediate steps that businesses should consider, both for compliance purposes and to determine key areas for advocacy:
- Track data streams. To respond to consumer requests and update privacy policies, businesses will need to know:
  - when and how they collect PI about California residents;
  - where they store that information and for how long; and
  - with whom they share that information.
  The CCPA defines PI broadly, so fully canvassing how the business handles consumer PI becomes important.
- Identify operational challenges that compliance may pose. Consider what systems and processes need to be in place to implement the deletion, access, portability, and opt out requirements and consider which aspects of those requirements are the most burdensome (or even impossible). This will help inform advocacy efforts to amend the CCPA’s most onerous or ambiguous provisions.
- Develop processes to enable compliance. Businesses should develop processes needed to comply with the CCPA’s key provisions, including:
  - setting up a toll-free number and web address for consumers to submit requests, and designating an individual to monitor and respond to requests;
  - verifying the identity and authorization of consumers making access or deletion requests;
  - designating individuals to respond to requests within 45 days;
  - setting up mechanisms to honor opt out requests and obtaining consent to sell PI for consumers under 16; and
  - updating privacy-related disclosures, such as online privacy policies.
- Consider alternative business practices. Consider whether and how to change handling of consumer PI given the CCPA’s requirements as well as explore options under the anti-discrimination provision of the CCPA, including alternative pricing models and financial incentives to offer to consumers relating to the collection, sale, and deletion of their PI.
What is the significance of the January 2020 effective date? Will enforcement start then?
Businesses must be ready to comply with the CCPA when it goes into effect on January 1, 2020. Consumers will likely begin making requests under the law immediately after it goes into effect, and some may seek to test the CCPA’s private right of action for general violations soon thereafter.
What about businesses covered by sector-specific privacy laws like the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), or California’s Confidentiality in Medical Practices Act? Do they need to comply with both the CCPA and their sectoral laws? What happens if they conflict?
The CCPA includes several exceptions based on specific federal privacy laws, including HIPAA, the GLBA, the Fair Credit Reporting Act (FCRA), and the Driver’s Privacy Protection Act (DPPA). In general, however, these exceptions are focused only on information subject to or otherwise handled pursuant to these specific laws (as opposed to entities subject to those laws). As a result, even if broadly construed, the exceptions would not apply to information about California residents that is not covered by these federal laws.
More importantly, several exceptions, including the GLBA and DPPA exceptions, apply only to the extent the CCPA conflicts with the federal standards. The term “conflict” could be interpreted narrowly to mean that a business is unable to comply with both the CCPA and the federal standards at the same time. If interpreted narrowly, these exceptions may not provide meaningful relief unless a court concludes there is, in fact, a conflict. Because the CCPA creates new privacy obligations not covered in these laws, like the right to deletion, it is possible that courts would not find an actual conflict.